System and method for secure management of mobile user access to enterprise network resources

ABSTRACT

A system and method are provided for managing mobile user access to enterprise network resources from a wireless mobile device, such as a smart phone or mobile computer, with improved security and access control. Access rules determining accessible resources and associated permitted operations are determined based on membership of an authenticated user to each of one or more groups, each group being associated with a set of permitted accessible resources and operations. For each user, based on membership of a group, or a Boolean evaluation of memberships of two or more groups, a list of accessible resources and permitted operations is generated, and the list is made available for subsequent processes, e.g. presentation to the user on an interface of the mobile device. Access rules may also be defined dependent on other information received from the system, or from the mobile device, such as time or location. Requests for an operation such as read access or write access to a network resource, such as a file, lists, shared calendars et al., may thus be readily controlled by an IT manager for multiple users of an enterprise network. Since the application resides in an application layer between the mobile device and existing security infrastructure, mobile access may be set without overriding internal access policies.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a reissue of U.S. patent application Ser. No. 12/488,959, filed Jun. 22, 2009, U.S. Pat. No. 8,275,356, issue date: Sep. 25, 2012, which is a continuation-in-part of PCT application No. PCT/CA2008/001704, designating the United States, filed Sep. 30, 2008, which is incorporated herein by this reference in its entirety.

TECHNICAL FIELD

This invention relates to systems and methods for managing mobile user access to network resources in a secure manner, and particularly relates to management of user access to resources in an enterprise network (intranet) from wireless mobile devices, such as smart phones, PDAs and other handheld devices, or mobile computers.

BACKGROUND ART

With an increasingly mobile workforce, there is a rapid proliferation in the use of mobile wireless handheld devices, such as Blackberry™ and other smart phones, for both voice communications and email communications.

Although smart phones are widely used for access to corporate email, which is one of the most common business tasks, current interfaces provide limited, if any, access to internal corporate file systems and other document storage resources within an organization's corporate network (intranet).

For example, although a Blackberry™ user can view email and attachments stored in the user's Blackberry™ inbox, the user will not be able to view documents located in the office, e.g. stored on a file server, and a user cannot access such a document to attach and email via a Blackberry or other mobile wireless handheld device. Users receiving an email containing a link to a document stored within a corporate network are not able to access that document on their handheld device. There may also be limitations on viewing email attachments in a convenient format on a small screen. Moreover, since access is provided only to information stored in the user's mail box, when a user needs an email message or attachment which is older than a default storage limit, typically 6 months, very often it is no longer in the user's Blackberry™ inbox.

Access to secure enterprise networks by mobile users may also be restricted, or not be permitted, for business and security reasons.

For good reason, many organizations are concerned about security of wireless communications “over the air”, and do not permit remote or mobile access to a secure corporate network (intranet), except through a secure channel or tunnel, such as provided by a conventional virtual private network (VPN). Organizations may restrict access from mobile devices and/or require employees and authorized users to use only approved enterprise-enabled wireless handheld devices, e.g. a Blackberry™ smart phone which connects to a Blackberry™ Enterprise Server managed within the corporate network, and which provides appropriate security and access controls specifically for voice and email services.

There are certain unique security concerns inherent in a mobile wireless operating environment.

-   Data travels over shared, public and sometimes open networks.
-   Mobile handhelds may be misplaced or stolen, exposing sensitive information.
-   A mobile device represents a potentially unmanaged point-of-entry into the network.
-   Worms and viruses may be transferred to a corporate internal network via tunnels created using mobile VPN technology.

Remote wireless access to an enterprise network from a handheld or a laptop, or downloading of information to a mobile device, may be undesirable, or not permissible for other legal or security reasons, e.g. where there is a cross-border restriction on information transfer, export controls, or regional differences in compliance with privacy laws or other regulatory requirements.

Users working remotely and/or travelling with a laptop, and requiring secure access to a corporate network to retrieve documents or information, typically need to find access to the internet (e.g. via a suitable wired connection or wireless access point), and then are required to set up a secure link to the corporate network (intranet), e.g. through a conventional VPN. For security reasons, enterprises managing such a computer network restrict access to network resources only to authorised users within the network, or users logged on through a secure link or tunnel such as a VPN, which require appropriate authentication of the user. When the user has access to the intranet via a conventional VPN gateway, access policies may be applied to manage access to permitted resources. Each user, e.g. employees or other authorized users, may therefore be provided with different access privileges associated with each of the various types of resources within a corporate network, e.g. an email server (Exchange server), an application server (e.g. Sharepoint), and file storage (servers, WebDAV). However, wireless mobile users cannot access various types of network resources in this manner.

Indeed, many organizations seek a way to restrict or expose only certain resources to mobile devices. For example, an organization may not wish to present or make accessible the same resources that would be accessible via a desktop, or laptop on a VPN, but would rather present only a subset of these resources to mobile users.

However, existing systems do not provide an appropriate interface for managing secure access to enterprise resources of these different types via a smart phone or other wireless mobile device, and mobile devices do not currently provide a way of getting a list of different accessible resources within an existing network.

Consequently, although a Blackberry™ user may access email and files received by email as email attachments, a user of a mobile device such as a Blackberry™ or other PDA or mobile computer or communications device connected to a wireless communications network has been unable to directly access other enterprise network resources to retrieve data files. Thus, a mobile user has not been able to access document repositories, such as Sharepoint, or even open a link within an email to download documents from a file server. Often, a mobile user may have to resort to contacting the office by phone or email to have someone access documents which are stored on a secure corporate network (intranet) and arrange to have the documents delivered to them, e.g. by fax or email. For users working across time zones, the need to contact someone back at the office to obtain documents or information may result in time delays, or perhaps an inconvenient wait until the next business day for a response.

Thus, it is desirable to enable access to other network resources via a mobile device with appropriate management of security.

More recently, where limited security or functionality is acceptable, several companies have proposed solutions that attempt to overcome some aspects of the above-mentioned problems. These include, for example, Pocket VPN by WickSoft, RepliGo™ by Cerienc Inc. and Cortado, a division of ThinPrint GmbH. Pocket VPN provides mobile access for text viewing of documents on Windows file servers; Cortado provides access to documents on Windows file servers only, by providing authorized users with access to files on a designated corporate drive in their corporate network (i.e. Bob sees documents on the X: drive, and Susan sees the Z: drive) for viewing, printing, or faxing of documents without need for download. RepliGo™ provides document conversion and management which is primarily directed to facilitating viewing and access to documents on mobile devices, and printing. Document access is managed by designating shared folders for access by authorized users. However, filters are not provided and thus all authorized users see all of the shared folders on the network and can view all files. The latter solutions may, therefore, bypass or override security policies which exist within an enterprise network, putting sensitive information at risk. On the other hand, in other solutions, access may be unnecessarily restricted to resources that are not supported or made accessible by the limited scope of functionality of the specific application.

Thus, these solutions do not provide an IT manager with a desired or appropriate level of control of access policy for individual users of wireless mobile devices, and which is compatible with a wide range of network infrastructures. Known solutions also do not provide mobile users with a convenient way of accessing a listing of available resources as they would be able to do when logged on with intranet access to their internal enterprise network.

Therefore, improved or alternative solutions are desirable to overcome the limitations of current wireless handheld devices, systems and methods for accessing network resources in a secure manner, and to facilitate remote working in an enterprise environment requiring an acceptable and appropriate level of security.

The present invention seeks to overcome, or ameliorate, one or more of the above-mentioned disadvantages, or at least provide an alternative.

DISCLOSURE OF INVENTION

One aspect of the present invention provides a method for managing user access to a plurality of network resources on an enterprise network from a wireless mobile device, by steps comprising:

determining group membership of a user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;

determining access rules for the user based on each group membership of the user; generating a list of accessible resources and associated operations for the user based on said access rules;

making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules.

Advantageously, performing an operation on an accessible resource may comprise one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email and download. Performing an operation may comprise synchronizing accessible resources with the mobile device.

Network resources may comprise network resources of different resource types, and the list of accessible resources and operations may comprise accessible resources of a plurality of different resource types. The list of accessible resources may comprise an indication or description of the resource type.

The method may comprise an initial step of receiving from a user credentials comprising a user ID, and authenticating the user, and retrieving directory information associated with said user to obtain attributes of the user associated with said user ID.

When multiple directory types and systems are supported, the method may comprise, before retrieving directory information, determining an applicable directory type of a set of possible directory types, and, after retrieving said directory information, re-encoding said information to a desired or common standardized format.

Another aspect of the invention provides a client server system for managing access to a plurality of network resources on an enterprise network from a wireless mobile device, comprising:

server means within an enterprise network comprising:

means for receiving identification from a user of a wireless mobile device;

means for retrieving from a directory attributes of said user based on a user ID of the user;

means for determining group membership of the user based on said user ID and said attributes, each group having associated therewith a set of access rules defining accessible resources and associated permitted operations for members of the group;

means for resolving access rules for the user based on group membership and generating a list of accessible resources and operations for the user based on said access rules;

means for making said list available for subsequent processing.

Thus, a system and method is provided for an organization to manage user access to network resources from a user's mobile device, with improved security and/or control, based on access rules, which determine who may access what resources, and how. In preferred embodiments, rules comprise membership lists which determine membership of one or more groups, and resource/operations lists which provide high level descriptors of resources deemed accessible, and associated permitted operations associated with each group membership.

Group based allocation and management of access privileges for network resources from mobile devices facilitates set up by an enterprise IT manager and allows access privileges to be rapidly set for large numbers of employees. Access privileges for remote access by mobile devices are managed independently of, or separately from, internal security policies, and since they reside in a layer between the access server and the mobile device, they may be set up so as not to override internal network access policies.

Access rules comprise high level descriptors of one or more of a membership group, a resource, and an associated operation, and may include a membership list and a resource/operations list comprising said descriptors. The membership list may comprise a high level descriptor defining criteria for who may access associated resources and operations.

Yet another aspect of the invention provides a system comprising an access control layer for an access server managing mobile user access to resources on an enterprise network, comprising processing means for performing the steps of:

determining group membership of a user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;

determining access rules for the user based on each group membership of the user;

generating a list of accessible resources and associated operations for the user based on said access rules;

making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules.

Mobile Documents middleware may run on a dedicated server (Mobile Documents server) within the enterprise network, or in a virtual environment, e.g. as part of an existing BES or other mail server, or as a distributed system on multiple servers for load balancing or load sharing.

In summary, preferred embodiments provide a readily implemented client-server architecture for:

-   authenticating a user of the mobile device for access to resources on an enterprise network;
-   determining membership groups of the authenticated user based on directory information;
-   looking up rules associated with each of said membership groups to determine which network resources may be accessed by members of said groups from a mobile device, and what actions or operations are permissible for those resources;
-   making available to the authenticated user, or other processes, a list, or index, of (accessible) network resources and (permitted) associated operations;
-   responding to user requests for access to one or more of said resources in accordance with said rules.

Embodiments of the invention provide that administrators must explicitly set rules that allow network resources to be made available to end users. In this way, the risk of accidentally exposing sensitive resources is mitigated. Furthermore, since implementation of the appropriate Mobile Documents access control layers does not require any changes to existing network security infrastructure, security for mobile user access is implemented in addition to any existing corporate security policies, and does not override existing security policies.

Also provided is client means on the mobile device for presenting or displaying a list of accessible resources and operations via a graphical, audible or tactile user interface, and receiving user input for initiating a process to perform a permissible operation on an accessible resource.

Thus, a method is provided by which a mobile device is presented with a list of resources and systems that exist within an existing computer network, and associated operations or actions that a mobile user may perform.

For example, client means on a mobile user device provides a suitable interface, typically a graphical interface, for presenting a list, or index, of accessible resources to the mobile user. Resources may be resources of multiple different types to which the user has access, e.g. directories, files, lists. Each resource is associated with permitted operations for the user of the handheld device, which may be time and location dependent. On selecting a desired resource, available operations may e.g. be presented to the user in the form of a pull down menu, offering choices of available operations, such as save/download, open/view, edit, copy, et al., as is conventional. Permitted operations may include synchronizing accessible resources with the mobile device.

Systems and methods according to aspects of the present invention provide for managing access to enterprise network resources from a wireless mobile device, such as a Blackberry, or other smart phone, with an enhanced level of security management and access control. Access (publishing) rules determining accessible resources and associated permitted operations are determined based on membership of an authenticated user to each of one or more groups, each group being associated with rules which determine a set of permitted accessible resources and operations. Rules comprise high level descriptors of network resources and associated operations for users having a membership of a group. For each user, rules are applied based on membership of one or more groups. A Boolean evaluation of rules associated with memberships of two or more groups may be performed. Thus, a list, or index, of accessible resources and permitted operations is generated, and the list is made available for presentation to the user on an interface of the mobile device.

Access rules may also be made dependent on other information received from the system, or from the mobile device, such as date, time or location. Requests for an operation may include, e.g., read access or write access to a network resource such as a file, contact list, Exchange folders, Sharepoint list, a web portal, or other network resource of one or more resource types. By using group memberships, rules may be quickly and conveniently configured and controlled by an IT manager for multiple users of an enterprise network.

Since control of mobile access resides in an application layer between the mobile device and existing security infrastructure, mobile access policies may be set for mobile users without overriding internal access or security policies. This approach enables mobile user access to resources that are not otherwise specifically designed or intended to be accessed via a mobile device, if a mobile user has appropriate permissions, i.e., if access rules are met.

Thus, a method is provided by which existing resources, such as a path to a document on a file server, can be indexed and deemed accessible to an authenticated mobile user or device based on a user identifier, such as a user name and password, and associated information stored with an existing directory server, which may be a Microsoft Active Directory, Novell eDirectory, LDAP directory or other directory type.

The collection, displaying, and/or interfacing of information about resources on a computer network is enabled so that said resources may be viewed, previewed, blocked, denied, interfaced or accessed by a mobile device in a secure and useable manner. Users may securely view, email, fax, download and manage documents located in their office, including, for example, documents in Novell™ or a contact in SharePoint™, directly from their Blackberry™ smart phone or other mobile wireless handheld device. Thus, mobile professionals who need access to their documents and files from anywhere may be provided with full mobile document access to selected enterprise network resources, with appropriate enforcement of enterprise security policies.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described in more detail with reference to the accompanying drawings, in which:

FIG. 1 illustrates schematically a simplified view of a network architecture, for implementing a system and method according to an embodiment of the present invention;

FIG. 2 illustrates schematically in more detail a network architecture, for implementing a system and method according to an embodiment of the present invention;

FIG. 3 illustrates an overview of steps in a method according to an embodiment;

FIG. 4 illustrates in more detail the steps of section 1 of FIG. 3;

FIG. 5 illustrates in more detail the steps of section 2 of FIG. 3;

FIG. 6 illustrates in more detail the steps of section 3 of FIG. 3;

FIGS. 7A and 7B illustrate screen shots of a user interface on a mobile device showing steps in implementing a method of accessing network resources according to an embodiment of the present invention; and

FIG. 8 illustrates a network architecture for implementing a system and method according to another embodiment.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 illustrates schematically a network architecture for implementing a system and method according to an embodiment of the present invention, for managing access to network resources 30 via a wireless network 20 from a wireless mobile device 10 of user 5. As shown in FIG. 1, an enterprise network (intranet) may comprise a plurality of network resources 30 of different types, e.g.: a Directory (e.g. an LDAP or eDirectory) 300; an email server (e.g. Exchange) 302; one or more application servers (e.g. SharePoint) 304; and File storage (servers, WebDAV) 306. Element 100 represents the Wicksoft Mobile Documents technology, which provides a security model based on an access control layer between the enterprise network and the mobile device for managing access to the network resources 30 from the mobile device 10, and in this embodiment comprises middleware residing on a server within the enterprise network, and a corresponding client residing on a user's wireless handheld device, as will be described in more detail with reference to FIG. 2. FIG. 2 illustrates a typical implementation for a Blackberry™ enabled enterprise network (intranet).

The network illustrated in FIG. 2 comprises a Blackberry™ Enterprise Server (BES) 120, which is accessible, via a firewall 130, from the Internet 24. Located between the BES 120 and the other network resources 30 is another server 140, which will be called a Mobile Documents™ server 140. A plurality of wireless handhelds 10a, 10b, 10c, 10d, e.g. Blackberry™ Handhelds or other Blackberry™ Connectivity devices for respective users 5a, 5b, 5c, 5d, are connected to the internet 24 via a mobile wireless network 22, i.e. a service provider wireless network for voice and data communications. When used in conjunction with a Blackberry™ Enterprise Server (BES) and Blackberry™ Mobile Data System™ (MDS), the Mobile Documents server 140 does not need to be accessible from the Internet or from other computers within the enterprise network. In other words, no additional ports or entry points need to be opened into the enterprise network for Mobile Documents to function. Thus, this embodiment builds on and extends the inherent security built into the Blackberry™ infrastructure.

The Mobile Documents middleware 100 sits on the Mobile Documents server 140, and exists in a layer between the existing computer network resources 30 and the mobile handheld devices 10a, 10b, et al. The Mobile Documents client 12 resides on the user's wireless handheld device 10. The directory server 300 may be a Microsoft Active Directory, Novell eDirectory, LDAP directory, or other type of directory. Typically an organization uses only one type of directory, and the Mobile Documents application may be configured to support only one or two directory types. Beneficially, Mobile Documents supports all common directory types, and provides for re-encoding required directory information into a common standardized format for subsequent processing.

This architecture provides for a system and a method by which an existing resource, such as a path to a document on a file server, can be deemed accessible by a mobile device according to Mobile Documents access Rules (alternatively referred to as “terms”, or “publishing rules”, see below) based on information stored within an existing directory server 300. The access Rules describe who, what and how a mobile user may access or act from a mobile device. Rules can selectively block any network asset from mobile users. Also provided is a system and method by which an authenticated user of a mobile device is presented with a list of resources that exist within a computer network to which the user has access privileges via his mobile device, and allowable operations associated with each of the resources which are deemed accessible. Operations may include, for example, one or more of read, write, execute, modify, and delete permissions, or variations thereof, including synchronizing accessible resources with the mobile device. Operations may also include determining if a particular resource should be included when searching for specific items (such as a contact), i.e. determining a subset of resources to be selected or validated for, or otherwise passed to a subsequent operation. Thus resources may be indexed to indicate whether they should be included in subsequent operations.

After installation of the middleware on server 140, Rules are established initially, and may be modified or updated as required, by an IT administrator. The Rules are used to set permissions to implement a desired level of security policy for the enterprise organization, as will be described in more detail below. In preferred embodiments, Rules are established on the basis of membership of one or more groups (described below), which allows an administrator to initiate the system very rapidly even in large organizations with 100s or 1000s of employees.

In this context, a Rule describes WHO and WHAT and HOW for management of mobile access, i.e. which mobile user may access what resources, and associated actions or operations that may be taken from a mobile device. Each rule consists of two parts:

1. A membership list
2. A resource and/or operations list

1. Membership Lists

A membership list contains criteria defining who may access the resources/operations described by the rule.

This membership list contains user IDs, as well as security group memberships that correspond to security group memberships in an existing directory.

2. Resource/Operations Lists

A Resource/Operations list contains a list of resources described by the rule, along with other information about the resources (e.g. display name, resource type). Operations describe actions that are permitted to the mobile user (such as downloading a file, or emailing a file as an attachment). A rule can be any description of a user, a group of users, or some other criteria, e.g.

{Sales People, Technical staff, Bob}

If the mobile user is a Sales Person, Technical Staff, or Bob, this rule is satisfied.

A rule may contain a list of resources within a computer network, or a list of actions a mobile device may take, e.g.

{C:\my documents, Z:, http://sharepoint.com/contacts}

If the rule is satisfied, the list of resources described by the rule will be added to the list of references generated by the algorithm.

Rules (terms) declare that an action may or may not be performed, and may be positive or negative. That is, Rules may be “permissive” or positive, i.e. define resources to be deemed accessible, and operations to be permitted. Some rules may be negative, i.e. ‘Deny’ rules, in that ‘if Bob is using his PDA then don't let him access this data’.

EXAMPLE RULE 1

    <Members>
        <user Bob>
        <user James>
        <group Sales>
    </Members>
    <Resources>
        <feature DownloadFiles = true>
        <resource \\FILESERVER\Legal\Forms\ name="My Forms"/>
    </Resources>

Sample Scenario:

Bob's company has 36 workstations, 4 file servers, several contact lists, and SharePoint. In the office, John has bookmarks and logon scripts to give him access to these things.

One of his file servers contains sensitive data that should not be accessible outside of the office. One of the contact lists contains information for all of his customers.

Bob has a folder on a file server that contains pictures of his kids, and he likes having this handy.

Using Mobile Documents, Bob would be presented with a list of 3 file servers, a folder for pictures, a contact list, and a SharePoint portal. The workstations and forbidden file server would not appear.

EXAMPLE RULE 2

    <Members>
        <user value="John Smith"/>
        <group value="Administrators" op="or"/>
        <group value="Sales and Marketing" op="or"/>
        <group value="Authenticated Users" op="and"/>
    </Members>
    <Resources>
        <download value="true"/>
        <path value="C:\temp\" name="Temp items" type="folder" access="rwxmde"/>
        <path value="C:\%firstname%\" name="Z:" type="disk"/>
        <path value="http://sharepoint/site1/contacts" name="contacts" type="spcontacts" access="rwxmde"/>
        <path value="https://mailserver/exchange/%mailboxname%" name="Mail" type="ex" access="rd"/>
        <path value="http://sharepoint/site1/clients" name="client contacts" type="spcontacts" access="rwxmde" SearchIndex="true"/>
    </Resources>

In this sample, if someone is in the Authenticated Users security group, AND is either the user John Smith, a member of the directory security group Administrators, or a member of the security group Sales and Marketing, they are permitted to:

-   Download files from the resources specified.
-   Access the folder C:\temp, where he/she may read, write, execute, modify, delete and email the data within the folder.
-   Access the folder C:\%firstname%, where firstname will be substituted with the user's first name (i.e. C:\John).
-   Access a SharePoint contact list where he/she may read, write, execute, modify, delete and email data within the list of contacts.
-   Access an Exchange mailbox, where the mailbox name is substituted with the user's mailbox name (i.e. https://mailserver/exchange/John.Smith@WICKSoft.com/) and may read or delete entries.
-   Perform a search for a contact from their mobile device, whereby the contact list ‘Clients’ will be automatically indexed as part of the search operation.

An important feature of the rules in this embodiment is that they allow specification of subsets of existing resources even within the same system. As an example, in SharePoint, each user may specify just one contact list for mobile access, even though a user may otherwise have access to 5 contact lists, which provides a level of granularity which is not presently available within SharePoint.

By default, access permissions may be set initially so as to block access to all resources from all mobile users. Rules may then be initiated by the IT administrator to selectively enable access to groups of mobile users according to appropriate access policies for each group (the rules may alternatively be referred to as publishing rules). Unlike conventional access policies in which access permissions for a specific user must be set for each specific resource, access Rules are preferably managed on the basis of group membership(s), to reduce administrative overhead for IT administrators, enabling much more rapid initial set up of the system.

Referring to FIG. 3, section 1, to determine membership groups, the system stores, for look-up and retrieval, a set of criteria or attributes required to be associated with a user for acceptance for membership of each group 412, i.e. what attributes are required to secure membership of a particular group.

Also stored is a list of one or more Rules 504, which, as explained above, may comprise membership lists providing high level descriptors of memberships, and resource and operations lists, providing high level descriptors of accessible resources and permitted operations associated with each resource.

To access a list of available network resources stored on an enterprise network, a mobile user 5 launches Mobile Documents on the client 10 (handheld or mobile device), presents an identifier, and is authenticated, e.g. is presented with a logon screen and prompted for a user id and password, which are sent to the Mobile Documents server (FIG. 7A).

Optionally, authentication may be provided using a fingerprint, other biometric identifier, or other unique user ID and identifier using any other suitable known method, depending on the security level of authentication required.

Referring to FIG. 3, Section 1, the server accepts the identifier, i.e. User ID and password, and authenticates the user (step 402). If the user is authenticated, the user ID is used to associate the mobile device user with data stored in existing directories (408) (e.g. a Microsoft Active Directory, Novell eDirectory, LDAP directory or other directory). That is, information is looked up and retrieved from the directory 408 based on the authenticated user ID at step 404, and the information retrieved may include a list of attributes, such as first and last name, department, role or roles, status, authority level, or other user attributes, which are used to determine one or more group memberships of the mobile user. The attributes associated with each group membership are stored at 412. That is, the system stores at 412, for look-up and retrieval, a set of criteria or attributes required to be associated with a user to secure (or qualify for) membership of each group.

Information retrieved from the directory is stored in a temporary record 410 as will be described further with reference to FIG. 4. When the user ID is received from the mobile device 402-1, the user ID is used to construct data that is used to query an existing directory 402-2. Although an enterprise typically uses one directory type, the Mobile Documents application preferably supports multiple directory types, and the initial step 404-3 is a query for what type of directory. Once the directory type is determined, a query is then made to the directory 6 to obtain data associated with the user based on initial data obtained at step 402-2.

Since multiple directory types may be supported, if required at 406, the information retrieved from the directory is translated into a standardized or normalized format that is independent of directory type, for further processing. That is, data received from the directory is examined and re-encoded as required into a normalized format, and data elements are added to an internal list (temporary record) to compile a list of normalized user information. This data is stored in a temporary record at step 410. Stored at 412 is a list of attributes or acceptance criteria associated with each of a plurality of group memberships. Each group membership is also associated with a rule defining a permitted set of resources, and associated actions or operations. Rules are stored at 504.

Referring to FIG. 3, section 2, in steps 502 to 512, for each Rule or list of Rules 504, rules are checked against acceptance criteria for group membership 412, to determine if a user is accepted as a group member. If accepted as a group member, the associated list of resources for the group is added to a list of accepted or permitted resources, i.e. a list of descriptors of accepted resources and associated operations. If not accepted, the next rule is checked until all rules have been checked. The resulting list of descriptors comprises all accepted (permitted) resources for each of the groups of which the user is accepted as a member. The list is used to generate the accepted resource list 602, which is then made accessible to other processes for subsequent operations.

Referring to FIG. 5 (Section 1), these steps are shown in more detail. At this step, information retrieved from the directory is compared to the set of Rules, which determine acceptance or denial criteria for a specific set of network resources. Criteria may include, e.g.:

-   Security group membership
-   Network user ID
-   Time of day
-   Location

The set of network resources can be statically defined (C:\myfiles) or defined dynamically using data stored in the existing directory as parameters (C:\<firstname>.<lastname>\).

Network resources that have met the acceptance criteria are stored in a list, e.g. [MOBILE LIST], as a set of references, e.g. paths to files, web site addresses, database locations, et al.

A rule may also contain a directive which tells the mobile device a 'friendly name' of the resource, i.e. 'C:\my documents' should be displayed as 'My documents'.

This list may then be delivered to the mobile device, or optionally used as acceptance or denial criteria when compared to another resource reference (e.g. the list says Bob has access to C:\my docs and http://sharepoint. He is asking for C:\my docs; is this okay?), or used as a list of places to search for a particular resource type. If the response is positive, the list would then be delivered to the mobile or other calling operation. That is, a list may be used in another operation, such as search or verification, instead of, or before, delivering it to the mobile device. Otherwise a message indicating the resource is not available, or another error message, may be delivered.

As shown in FIG. 1, resources to which the user may desire access may include many different and diverse resource types, e.g. contact lists, shared calendars, Word documents, pdf documents, SharePoint, in addition to email related resources. The set of rules defines a domain of allowable resources, and as mentioned above rules may allow for selection of only part of a portal.

Optionally, rules may provide that an indication of resource type be displayed with the listing of one or more resources, or a list of types of resources may be presented to the user for selection by the user.

Allowable operations or actions may be limited to viewing documents only. In some instances it may be preferable to allow read access only, with no capability for downloading or storage of data on the mobile device. In other instances, other actions or operations may be desirable or permissible, and rules may be set e.g. so that editing or downloading of documents may be permitted. Beneficially, synchronization of accessible resources, e.g. contacts or documents, with the mobile device may be permitted. For example, periodic synchronization permits a user to have up to date information on accessible resources or for stored information to be updated.

When determining group membership, i.e. whether an authenticated user is a member of a particular group, the criteria include user ID and at least one other attribute or additional data which is retrieved from the directory, in Section 1 of the process. Criteria may also include other data supplied by the user, from the mobile device, or other information (instruction, data, resource ID) from other sources.

When each group membership for a user has been determined, access Rules for resources may require a Boolean evaluation or association of group memberships to determine the set of accessible resources and associated operations for the authenticated user. A user may have many different roles or identities which provide membership to many groups. As a simple example, a user may have membership of one group that provides read only access to a first resource, but may also have membership of another group that provides write access to the first resource and other permissions for other resources; the user may additionally have membership of a third group that restricts access to a subset of resources that may otherwise be accessible to the second group, except for remote or mobile access from specific locations or at certain times.

Referring to FIG. 3, section 3: optionally, other data from the mobile device, or the system, may be retrieved at step 402, or independently at step 700, e.g. an instruction, data, resource ID, et al. The data are made accessible, with the accepted resource list, to subsequent processes 604.

As an example, a list of resources may be presented to the user allowing the user to select a resource, or request an operation, or alternatively the interface may issue a prompt to the user for a selection or operation. As shown in FIG. 7B, a list of resources is presented to the user in the form of a menu. As is conventional, when a user right clicks on a selected resource a menu of permitted operations associated with the resource is presented, such as view, download, edit, copy, etc., so that the user may select an action to initiate a subsequent process.

Optionally, the list of accessible resources may present an indication or description of a resource type along with a listing of the resource, for example by providing a path and a resource type, e.g. indicating that a resource is a SharePoint portal, or is a contact list within SharePoint.

Also optionally, the list of accessible resources may be used to determine where to look for certain types of information. For example, a mobile user may want to find all contacts from a specific company; the rules would determine which resources contain contacts, and/or which of those the search should be conducted in. Thus, resources may be indexed not only by resource type indicator, but by other criteria or indicators or descriptors, so that a list of a subset of accessible resources may be generated meeting particular criteria, e.g. in this example, a list of accessible resources of one or more contact list types or sources for inclusion in a contact search. Or, in performing an operation on a list of accessible resources, only those resources indexed with one or more specific indicators or descriptors may be included. For example, in the embodiment described above (page 17) a specific subset of contact lists, "Clients", may be indexed (tagged) for mobile access, although the user may otherwise have access to several (5) contact lists through SharePoint.

Referring to FIG. 6, a Resource Trust Verification (validation) step may optionally be implemented. This is a validation step that involves receiving at step 3-1 a type of operation request, a list of accepted resource descriptors from 2.13, and if applicable, other data from the mobile device (e.g. an instruction, data, resource ID). In response to a request to list resources, a list of resources accessible to the mobile device based on some identifier in section 1 may be sent directly to the process which delivers the list of resources and operation descriptors to the mobile device. In response to a request for another operation, an operation may be carried out, such as "get contents of the resource for viewing" or "write data to a specified resource".

If required, automatically, or on user request, a resource trust verification step may be carried out 3-5 where a list is sent to the process which validates a supplied resource and/or operation against a trusted list of accessible resources (whitelist). Alternatively the requested resource may be checked against an untrusted list (blacklist) and if there is a match the request may be refused, blocked, or an error message generated. During resource trust verification, optionally a resource type or list of resource types may be displayed for selection or verification by the user, before access to the resource is provided.

Although this embodiment is described for a system supporting a Blackberry™ device or a Blackberry™ Connect enabled device, the system is compatible with mobile devices such as a Blackberry™ or other smart phone or PDA, car computer or other mobile computer, which normally connects via a service provider to a wireless voice and/or data service.

The system may also facilitate secure access to network resources of different types for wireless enabled laptops or mobile computers when a wired Internet connection is not available or is not convenient.

Beneficially, when synchronization of accessible resources with a mobile device is permitted, access to up to date information from accessible resources may be facilitated in case there is a network connection failure or service interruption. In an emergency management scenario, synchronization may permit emergency workers to obtain periodic updates of information, such as contacts, emergency instructions, alerts, contact information in other forms, or availability of personnel, on their mobile device.

For an organization without BES, Mobile Documents may be implemented on a Mobile Documents server within the enterprise network in conjunction with a service provider Blackberry™ server or other server. Alternatively, contract or outsourced personnel may benefit from the Mobile Documents solution via a web accessible server without requiring access to a BES within an enterprise network.

Mobile Documents service may alternatively be offered through a service provider which provides a common point of entry and would route to a customer's Mobile Documents server (FIG. 8).

In summary, the method

-   a. compares information
    -   i. sent from the mobile device
    -   ii. contained in a directory (such as an LDAP directory or database)
    -   iii. contained in rules
-   b. and determines if a rule has been satisfied positively or negatively.

Support for Multiple Directory Types

Referring to FIG. 4, section 1, although typically an organization will use only one directory type (e.g. a MAD, LDAP, eDirectory or other), the Mobile Documents application is preferably enabled for multiple directory types, and in the initial step of retrieving information from the directory issues a query for what type of directory. After determining what type of directory, the directory is queried for data associated with the authenticated user ID, and data is received from the directory in response. Data received from the directory in the previous step is examined, re-encoded into a normalized format if required, and added to a list in the form of a temporary record. If there is more data, the additional data received is examined and re-encoded to create a list of normalized user information which is stored in a temporary record, comprising the user ID and other information received from the directory.
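The normalization step described above, as an added example that is not part of the page or of the Mobile Documents product. The native attribute names (Active Directory `givenName`, `sn`, `memberOf`; eDirectory `groupMembership`) are real directory attributes, but the mapping table, the normalized field names, the sample entries, and the treatment of the well-known Authenticated Users identity are this example's assumptions:

```python
"""Re-encode directory entries of several types into one temporary record.

Added example (not the Mobile Documents code). The FIELD_MAP table, the
normalised field names, and the sample entries are constructed.
"""
import re

# Per-directory-type mapping from native attribute names to the normalised
# field names consumed by the rule check (assumed schema).
FIELD_MAP = {
    "ad": {"sAMAccountName": "userid", "givenName": "firstname", "sn": "lastname",
           "department": "department", "mail": "mailboxname", "memberOf": "groups"},
    "edirectory": {"cn": "userid", "givenName": "firstname", "sn": "lastname",
                   "ou": "department", "mail": "mailboxname", "groupMembership": "groups"},
    "ldap": {"uid": "userid", "givenName": "firstname", "sn": "lastname",
             "departmentNumber": "department", "mail": "mailboxname", "memberOf": "groups"},
}

# Group membership is returned as distinguished names; the leading CN is the
# group's common name, which is what the rules refer to.
DN_HEAD = re.compile(r"^\s*cn=([^,]+)", re.IGNORECASE)


def group_name_from_dn(dn):
    m = DN_HEAD.match(dn)
    return m.group(1).strip() if m else dn.strip()


def normalise(directory_type, raw, authenticated=True):
    """Build the normalised temporary record for one raw directory entry.

    Attributes no rule criterion needs are dropped; multi-valued attributes
    (lists) are flattened, and group DNs are reduced to group names.
    """
    mapping = FIELD_MAP[directory_type.lower()]
    record = {"directory": directory_type.lower(), "groups": set(), "attrs": {}}
    for native, value in raw.items():
        field = mapping.get(native)
        if field is None:
            continue
        values = value if isinstance(value, (list, tuple)) else [value]
        if field == "groups":
            record["groups"].update(group_name_from_dn(v) for v in values)
        else:
            record["attrs"][field] = values[0]
    if authenticated:
        # Well-known identities such as Authenticated Users are not stored in a
        # user's memberOf attribute; here the server adds it after a successful
        # logon (assumption about the page's system).
        record["groups"].add("Authenticated Users")
    record["name"] = " ".join(
        p for p in (record["attrs"].get("firstname"), record["attrs"].get("lastname")) if p)
    return record


# Constructed sample entries, one per directory type.
SAMPLE_AD = {
    "sAMAccountName": "jsmith", "givenName": "John", "sn": "Smith",
    "department": "IT", "mail": "John.Smith@example.com",
    "memberOf": ["CN=Administrators,CN=Builtin,DC=example,DC=com",
                 "CN=Sales and Marketing,OU=Groups,DC=example,DC=com"],
    "whenCreated": "20080101000000.0Z",   # not mapped, so dropped
}
SAMPLE_EDIR = {
    "cn": "bjones", "givenName": "Bob", "sn": "Jones", "ou": "Sales",
    "mail": "Bob.Jones@example.com",
    "groupMembership": ["cn=Sales and Marketing,ou=groups,o=example"],
}

if __name__ == "__main__":
    for kind, entry in (("ad", SAMPLE_AD), ("edirectory", SAMPLE_EDIR)):
        print(kind, normalise(kind, entry))
```

Whatever the directory type, the rule check that follows sees only `name`, `groups` and `attrs`, which is the point of the normalization: the rules never have to know whether a membership arrived as an Active Directory DN or an eDirectory one.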

Check Rule

Rules are then retrieved from the file, database, or memory, etc., and then for each rule a rule check is performed (i.e. rules are resolved), based on rule acceptance criteria (e.g. security group membership) received from the temporary record in the previous step. For each rule acceptance criterion, when the user data meets the required criteria, an add resource step is performed. For each resource/operation description in the rule a parameter substitution is performed, if any, and then the resource/operation description and other information (display name, type, etc.) are added to the list of accepted resources. The check rule steps are repeated for each rule and rule acceptance criterion, thereby generating a list of accepted resources and/or operation descriptors. The list of accepted resources is then made available to other processes.
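The check rule step above, applied to the rule format of Example Rule 2 earlier on the page, as an added example that is not part of the page or of the Mobile Documents product. The `<Rule>` wrapper element, the left-to-right evaluation of the `op="and"`/`op="or"` attributes (each member combines with the running result, which yields the reading the page gives for Example Rule 2), the mapping of the access letters to operations, the read-only default where `access` is absent, and the sample users are this example's assumptions:

```python
"""Check one access rule against a normalised user record (added example).

Illustration code, not the Mobile Documents implementation. The rule text
follows the page's Example Rule 2; the evaluation order, the access letter
mapping and the sample users are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Example Rule 2 from the page, wrapped in an assumed <Rule> element.
RULE_XML = r"""
<Rule>
  <Members>
    <user value="John Smith"/>
    <group value="Administrators" op="or"/>
    <group value="Sales and Marketing" op="or"/>
    <group value="Authenticated Users" op="and"/>
  </Members>
  <Resources>
    <download value="true"/>
    <path value="C:\temp\" name="Temp items" type="folder" access="rwxmde"/>
    <path value="C:\%firstname%\" name="Z:" type="disk"/>
    <path value="http://sharepoint/site1/contacts" name="contacts" type="spcontacts" access="rwxmde"/>
    <path value="https://mailserver/exchange/%mailboxname%" name="Mail" type="ex" access="rd"/>
    <path value="http://sharepoint/site1/clients" name="client contacts" type="spcontacts" access="rwxmde" SearchIndex="true"/>
  </Resources>
</Rule>
"""

# Access letters as the page describes them: read, write, execute, modify,
# delete, email.
ACCESS_FLAGS = {"r": "read", "w": "write", "x": "execute",
                "m": "modify", "d": "delete", "e": "email"}
OPS = {"and": lambda acc, m: acc and m, "or": lambda acc, m: acc or m}
PARAM = re.compile(r"%(\w+)%")   # %firstname%, %mailboxname%, ...


def member_matches(elem, user):
    if elem.tag == "user":
        return elem.get("value") == user["name"]
    if elem.tag == "group":
        return elem.get("value") in user["groups"]
    return False


def members_accept(members, user):
    """Left fold: ((user OR admins) OR sales) AND authenticated."""
    result = None
    for elem in members:
        matched = member_matches(elem, user)
        result = matched if result is None else OPS[elem.get("op", "or")](result, matched)
    return bool(result)


def substitute(value, user):
    """Replace %attr% with the user's directory attribute; unknown names stay."""
    return PARAM.sub(lambda m: str(user["attrs"].get(m.group(1), m.group(0))), value)


def check_rule(rule_xml, user):
    """Return the accepted resource/operation descriptors, or [] if not a member."""
    root = ET.fromstring(rule_xml.strip())
    if not members_accept(root.find("Members"), user):
        return []
    resources = root.find("Resources")
    dl = resources.find("download")
    download = dl is not None and dl.get("value", "false").lower() == "true"
    accepted = []
    for path in resources.findall("path"):
        accepted.append({
            "path": substitute(path.get("value"), user),
            "name": path.get("name"),
            "type": path.get("type"),
            "operations": [ACCESS_FLAGS[c] for c in path.get("access", "r")],
            "download": download,
            "search_index": path.get("SearchIndex", "false").lower() == "true",
        })
    return accepted


# Constructed users in the normalised record form.
JOHN = {"name": "John Smith", "groups": {"Authenticated Users"},
        "attrs": {"firstname": "John", "mailboxname": "John.Smith@example.com"}}
BOB = {"name": "Bob Jones", "groups": {"Authenticated Users", "Sales and Marketing"},
       "attrs": {"firstname": "Bob", "mailboxname": "Bob.Jones@example.com"}}
CAROL = {"name": "Carol Lee", "groups": {"Administrators"},   # not Authenticated Users
         "attrs": {"firstname": "Carol", "mailboxname": "Carol.Lee@example.com"}}

if __name__ == "__main__":
    for user in (JOHN, BOB, CAROL):
        print(user["name"], [r["path"] for r in check_rule(RULE_XML, user)])
```

Carol is an administrator but is denied, because the trailing `op="and"` on Authenticated Users gates the whole rule; that is the behaviour the page describes for Example Rule 2, and it is why the evaluation order of the member elements has to be pinned down in a real implementation.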

Resource Trust Verification

Referring to FIG. 6, section 3: when a request for a resource n is received from the user, a response providing corresponding data (which may e.g. be a list, contents of a file or other information, e.g. a path to a file or other resource) associated with accessible resources is returned or is delivered to the mobile device.

On receiving subsequent user input from the mobile device for a specific resource or operation, a step of validation is performed. That is, the list, resource descriptor and/or requested operation is sent to a process that validates a supplied resource against a list of accessible resources. Optionally, information presented may include an indication or description of a resource type with a listing of a path or resource name. Alternatively a listing of resource types may initially be presented to the user for selection or validation before presenting to the user a list of available resources of the selected type. Additionally or alternatively, in response to an operation request, the request may be sent to any other process which may require a list of accessible resources and operations.

Thus security encompasses steps of authentication, application of security policy, publishing of the rule or rules, application of other security policies, e.g. Windows policies, and checking with respect to a Windows access control list.

Based on the rules (terms) a resource may be displayed, interfaced, blocked, or denied to a user or users.

Groups Definitions

Multiple Rules (terms) or a collection of Rules (terms) may need to be satisfied before a resource or collection of resources, that may have been explicitly stated or stated as a result of the evaluation of a term, can either be displayed, allowed, blocked, etc.

Multilayer Security

By using the BES, or an existing VPN, with Enterprise activated handhelds, a secure connection is already present.

Since the Mobile Documents server does not need to be accessible from the Internet or even internal computers, it is possible to restrict the point of entry to verified assets (e.g. authorized Enterprise activated handhelds). This is similar to restricting an IPsec VPN to a specific MAC address, only with a higher level of obfuscation.

Preferably, instructions between the Mobile Documents client, running on the Blackberry™ handheld, and the Mobile Documents server that resides in the intranet, are transmitted by a proprietary communications protocol that provides no mechanism to execute remote programs or manipulate a database, and can only convey simple end user operations such as "list the contents of a folder".

These different levels of security contribute to thwarting external threats that attempt to monitor, intercept or modify data communicated between the handheld and the intranet.

The cryptographic layers protect network traffic all the way from the internal Mobile Documents server out to the hand held device.

Using this security protocol provides the following benefits:

-   Existing security resources, such as content scanners, MDS, Microsoft ISA Server, and other Firewall products continue to take effect.
-   Deployment requirements, and therefore the security impact, are reduced because the protocol tunnels through standard HTTPS.
-   The limited scope of the Mobile Documents™ protocol makes it almost impossible for a standard Windows worm (like an SQL injection exploit) or Trojan to propagate through the system.
-   If upload of information is not required, the protocol may be made exclusive to Mobile Documents™; in other words, other applications cannot use the protocol. The system is then highly resistant to tunneling efforts, such as running a torrent, remote desktop application, or some other network utility across the same protocol. For example: an end user could not set up a program like VNC within the Intranet and then use the system to access VNC, thus circumventing security measures. Such a protocol will not facilitate tunneling or hijacking by other applications.
-   This protocol is highly conducive to policy enforcement. In this way WICKSoft Mobile Documents™ provides additional layers of security, which will be discussed later, that are context and content sensitive.

Application Level Security

All data that moves through the system goes through the same set of checks and balances before being passed on to the internal network. Only after these checks and balances have been satisfied will a given operation be performed on the internal network.

Authentication

The first check is authentication. Preferably, all users must login using their identification for each and every operation before it is processed. After authentication by the Mobile Documents™ server, all processes within Mobile Documents™ are undertaken as if the user were logged in to the local network as that user. If an account is disabled or modified in Active Directory, or Novell eDirectory, then the changes will be reflected in real-time. Requests will be allowed or rejected by both Mobile Documents™ and the Operating System based on current directory information.

Security Policy

The second check is against the access rules, which restrict access to specific resources, and set security policy for mobile access. As described above, access permissions are determined by access rules associated with user group membership which are specifically designed for remote access applications. Access rules can be customized to restrict access by users and groups to:

-   Machines
-   Shares
-   Files and Folders
-   Web resources
-   File types

Additionally, all requests must pass sanity tests (e.g. to exclude unacceptable resource descriptors or to test that a minimum set of requirements is met) which guard against certain intrusion attempts.

Publishing Rule

The third check is made with respect to publishing rules. Administrators must explicitly allow network resources to be made available to end users. In this way the risk of accidentally exposing sensitive resources is mitigated. Keep in mind that internal security policies (mentioned earlier) override publishing rules, so mistakenly providing access to an otherwise explicitly denied resource (or user) will not compromise the system.

Windows and Novell Security Policies

Once a user logs in to Mobile Documents™ they are subject to all of the security constraints implemented at the Intranet level. In this way a Microsoft Security Policy will affect and constrain a Mobile Documents™ user as if the user were accessing the Intranet locally.

Windows and Novell ACLs

At no point will Mobile Documents grant a user access to something they do not have sufficient rights to access. Mobile Documents™ honors all Microsoft Windows and Novell ACLs at both the share and folder level. These ACL (Access Control List) checks ensure that the end user will not be able to do something that they couldn't otherwise do from the office.

Application Layer Security Summary

The application security layer, with its multiple checks and balances, makes it very easy to lock down the mobile enterprise. Basic built-in sanity checks, which cannot be overridden, ensure that relative path referencing, local paths, and certain other aberrant access types are not permitted to flow throughout the rest of the system. A failure at any one point along the sequence immediately invalidates a client request and is logged to a special security log.
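The resource trust verification step (FIG. 6) together with the built-in sanity checks described above, as an added example that is not part of the page or of the Mobile Documents product. The accepted list is constructed from the Example Rule 2 resources; refusing any `.` or `..` path component outright (rather than resolving it), decoding percent-encoding before the check, requiring an absolute share path or URL, case-insensitive prefix matching, and the dictionary security log are this example's interpretation of the page's checks:

```python
"""Resource trust verification with built-in sanity checks (added example).

Illustration code, not the Mobile Documents implementation. The accepted
list is constructed; the checks are this example's reading of the page.
"""
import re
from urllib.parse import unquote

SECURITY_LOG = []                  # stands in for the page's special security log
SPLIT = re.compile(r"[\\/]+")      # Windows and URL separators alike


def canonical(ref):
    """One spelling per resource: '/' separators, no trailing '/', case-folded
    (share and SharePoint paths are compared case-insensitively here)."""
    return SPLIT.sub("/", ref.strip()).rstrip("/").casefold()


def sanity_check(ref):
    """Return a reason if the descriptor is aberrant, else None.

    Relative references are refused rather than normalised away, so a
    request can never be resolved to somewhere the rules did not publish.
    """
    if not ref or "\x00" in ref:
        return "empty or malformed descriptor"
    if any(part in (".", "..") for part in SPLIT.split(ref)):
        return "relative path reference"
    if not (re.match(r"^[A-Za-z]:[\\/]", ref) or re.match(r"^https?://", ref)):
        return "not an absolute share path or URL"
    return None


def verify_request(accepted, ref, operation, blacklist=()):
    """Whitelist check: ref must lie under an accepted resource that permits
    the operation. An optional blacklist (untrusted list) is consulted first.
    Every failure is written to SECURITY_LOG and the request is invalidated."""
    def deny(reason):
        SECURITY_LOG.append({"ref": ref, "operation": operation, "reason": reason})
        return False, reason

    decoded = unquote(ref)         # %2e%2e must not slip past the '..' check
    reason = sanity_check(decoded)
    if reason:
        return deny(reason)
    target = canonical(decoded)
    for bad in blacklist:
        root = canonical(bad)
        if target == root or target.startswith(root + "/"):
            return deny("resource is blacklisted")
    for res in accepted:
        root = canonical(res["path"])
        if target == root or target.startswith(root + "/"):
            if operation in res["operations"]:
                return True, "ok"
            return deny(f"operation '{operation}' not permitted on {res['name']}")
    return deny("resource not in accepted list")


# Constructed accepted list, as the rule check would produce it for a user.
ACCEPTED = [
    {"name": "Temp items", "path": "C:\\temp\\", "operations": ["read", "write", "delete"]},
    {"name": "contacts", "path": "http://sharepoint/site1/contacts", "operations": ["read"]},
]

if __name__ == "__main__":
    for ref, op in (("C:\\temp\\report.docx", "read"),
                    ("C:\\temp\\..\\Windows\\system.ini", "read"),
                    ("C:\\tempfiles\\x.txt", "read")):
        print(ref, op, verify_request(ACCEPTED, ref, op))
    print(SECURITY_LOG)
```

Two details matter in practice: the prefix comparison appends a separator to the accepted root, so `C:\tempfiles` is not treated as being under `C:\temp`, and the traversal check runs on the decoded descriptor, since a URL-encoded `..` is still a relative reference once the server decodes it.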

The entire secure channel ultimately provides a level of data and application control that facilitates only the operation of Mobile Documents™, but no other applications.

Handheld Level Security

The Blackberry™ Wireless Handheld provides an inherently secure operating environment and Mobile Documents™ leverages and enhances this inherent security. Mobile Documents™ provides the following security features on Blackberry™ and other handhelds:

-   File downloading is disabled by default. If administrators choose to enable downloading in both the server-wide security policy, and specific publishing rules, then clients may store information on their PDA. Security policies and publishing rules can restrict downloading to documents deemed safe for transfer to a PDA.
-   Unless downloading is enabled, at no time is sensitive data ever stored on the handheld, a SIM card, or other portable storage device.
-   All e-mail messages sent using Mobile Documents are sent from within the corporate intranet, and do not travel over the air. When used in conjunction with Microsoft Exchange, Mobile Documents acts as if the user sent an email message from their desk, even leaving a copy of the outgoing message in the user's 'Sent Items'.
-   Mobile Documents honors the automatic lock-out during periods of inactivity that is provided by the Blackberry™.
-   Mobile Documents provides an independent automatic lockout so that Mobile Documents will become locked after a period of inactivity.
-   Optionally, transfer of data from an external source can be restricted or disabled. This provides immunity to Bluetooth-borne viruses and worms, and protects against MIDP and handheld based Trojans.

Security Model

Security is approached from three distinct levels. The first is the data transfer level, the second is the application level, and the third is the handheld level.

Data transfer level: where traffic may be susceptible to monitoring, and where worms, viruses, and attackers may attempt to gain a remote point of entry, ensure that a secure tunnel is created and maintained from the handheld directly to the Enterprise.

Application level security: a policy based approach to ensure sensitive data never leaves the office and that only operations deemed "safe" from a mobile device are possible. Mobile VPN technology must ensure that users cannot accidentally distribute, remove or otherwise tamper with sensitive information and other network resources.

Handheld level: the mobile VPN must be able to effect changes immediately, even if the handheld is turned off. This provision is necessary to ensure that stolen or misplaced assets can be disabled immediately, and sensitive information is not left behind.

These three levels provide a secure channel between the Blackberry™ and the Intranet, and a secure platform through which to operate.

Multilayer security access features mean that access can be restricted to any network resources, for any use, be it Novell, SharePoint, Windows, or some other document management system.

Emails sent using Mobile Documents are routed internally, just as if they were sent from a desktop sitting in the office.

Existing security infrastructure, like content scanners and ACLs, will also work with Mobile Documents.

Thus, systems and methods according to embodiments of the present invention are provided that deliver a secure channel to the enterprise network that facilitates mobile document access while reducing risk of exposure of the corporate network to external threats. Enterprise security management features allow administrators to control mobile user access to network resources.

Advantageously, extensive logging allows for continuous auditing of many aspects of deployment. Full access traces and security notification permit the administrator to closely monitor activity.

By leveraging existing infrastructure, embodiments of the invention can integrate seamlessly with the mobile enterprise while providing an enhanced level of security and access control. If required, rules may be implemented so that sensitive data is never stored on the handheld, and data transfers (such as file management, and e-mail attachments) do not travel over-the-air. Existing security infrastructure is applied to the mobile user.

A proprietary protocol ensures existing security threats, such as worms and viruses, do not hijack or tunnel through the secure Mobile Documents™ channel. Mobile Documents allows mobile users to securely view, email, fax, download and manage documents located in SharePoint, Novell Teaming+Conferencing, both Microsoft and Novell File servers, WebDAV, and document management systems. Thus, much of the functionality of the desktop is transferred over to the handheld.

Resources of many different types may be supported and interfaced to the mobile user's device, for example:

-   MS SharePoint Lists
-   Novell Teaming+Conferencing
-   ACOM
-   Exchange, Exchange Public Folders, Exchange Delegate Folders
-   WebDAV
-   Many EDM and DMS

Other capabilities for example include mobile access to third party web portals, e.g. Paper IQ, by passing credentials from a handheld to the Paper IQ server, or other hosted webserver.

Example: Sharepoint Integration

Beneficially, this integration of multiple resource types enables a mobile user to perform many operations that were not previously available to mobile users. For example, SharePoint provides a document repository, process workflow, and collaboration. A user may send someone an email containing a link to a file from an application such as SharePoint, permitting the recipient to click on the link in his or her Blackberry™ email, and open the document up almost instantly. The user may access almost any list in SharePoint and navigate and search through contacts, access attachments and document libraries. Nothing is cached or replicated, so mobile users always have access to the most up to date information in SharePoint.

Whether using SharePoint or other applications/environments, documents may be emailed as attachments, or with links to allow download of files for editing on the phone or on a laptop, copying files to other servers internally, and collaborating with co-workers regardless of location. Preferably, full fidelity document viewing provides for fonts, charts, graphics, and spreadsheets to appear as they would from a PC.

As other examples, rules may similarly be established to allow a mobile user to perform many other tasks such as:

-   Access links to documents in email, just like on a desktop.
-   Access SharePoint documents directly and securely.
-   Access Exchange Public or Delegate folders from a Blackberry™.
-   Search an Exchange inbox for an older item.
-   Access files on a network file server (e.g. U:, T:, Z: or other common network drives).
-   Use Novell's newest collaboration tool, Novell Teaming+Conferencing, from the Blackberry™.
-   View documents in full fidelity, just like on a desktop.
-   View an attachment to a meeting in an Exchange folder.
-   Mobile access to ACOM's EZContent Manager to manage, download, fax, email and view enterprise documents.

Beneficially, the Mobile Documents middleware may be installed and operated without changes to Domain controllers, eDirectory, or BES. Existing users, groups, and policies remain intact without any modification.

File transfer is not restricted to file type, e.g. it may be adapted to work with many common file types: pdf, MS Word, Excel, Powerpoint, Wordpad, rtf, jpeg, and other known file types. Download of files is preferably disabled by default and optionally enabled by an administrator. Editing may be provided through third party applications. If files are downloaded they may be transferred and edited on a laptop or desktop.

The Mobile Documents Server does not require a dedicated server and may run in virtual environments. For example, the Mobile Documents middleware may reside on the BES or on a separate server. Multiple Mobile Documents servers may be provided for load sharing and load balancing. The server hosting Mobile Documents may be located almost anywhere in the network. Multiserver mode, load balancing, geographic data routing and fail-safe redundancy are supported.

Other Features:

Containers

Rules allow administrators to set rules based on a Boolean evaluation or association of group memberships (e.g. Bob is a member of Group A AND (Group B OR Group C); Bob is a member of Group A AND NOT Group C). Accessible resources may be displayed in containers, each container holding the resources associated with membership of a particular group, e.g. so that a user is aware of which resources other members of the same group can see or otherwise access.

Tokens

If, for example, a user has multiple IDs, an ID token may be used to indicate the type of authentication, and a resource may include information describing what kind of ID is required to access the resource, or to perform an operation or action. ID tokens may require credentials from another source, and may be managed from a central source.

Proprietary Protocol

To manage access to multiple types of resources, the protocol for communicating resource information between the client and server must be robust enough to define many different types of resources in a standardized format. For example, some resources have a hierarchical file system, whereas a database may have a relational data structure. Consequently the protocol provides a way of representing different types of resources in a common format for transmission of information between the server and the device. Resource information is translated into this common language and presented to the user through an appropriate user interface on the mobile handheld device. For example, the interface may display information such as a resource description, a name to be displayed, what picture to display, and actions, i.e. what can be done with the resource.
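The following is an added example, not the patent's own protocol, of how a hierarchical file share and a relational list can both be flattened into the one common record format the paragraph describes (description, display name, picture, actions) before being sent to the device. The field names, the two sample back-end shapes, the icon names and the action vocabulary are assumptions made for illustration.

```python
"""Added example (not the patent's own code): normalise two different
back-end resource shapes into one common record for the device.
Field names, sample data and action names are hypothetical."""
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

@dataclass
class Resource:
    kind: str                 # e.g. "folder", "file", "list", "list-item"
    id: str                   # opaque handle the client echoes back on requests
    display_name: str
    description: str
    icon: str                 # which picture the client should show
    actions: List[str]        # what the client may ask to do with it
    parent: Optional[str] = None

# Hierarchical back end (constructed sample, shaped like a network drive).
FILE_TREE = {
    "name": "U:", "children": [
        {"name": "reports", "children": [{"name": "q3.pdf", "size": 120345}]},
        {"name": "notes.txt", "size": 812},
    ],
}

# Relational back end (constructed sample, shaped like a SharePoint list).
CONTACT_LIST = {
    "title": "Contacts",
    "columns": ["Name", "Phone"],
    "rows": [{"Name": "Alice", "Phone": "555-0101"},
             {"Name": "Bob", "Phone": "555-0102"}],
}

def adapt_file_tree(node, parent=None, path=""):
    """Flatten a nested folder/file tree into common records, depth first."""
    path = f"{path}/{node['name']}" if path else node["name"]
    rid = "fs:" + path
    if "children" in node:
        yield Resource("folder", rid, node["name"], f"Folder {path}",
                       "folder.png", ["list"], parent)
        for child in node["children"]:
            yield from adapt_file_tree(child, rid, path)
    else:
        yield Resource("file", rid, node["name"], f"{node['size']} bytes",
                       "file.png", ["view", "email", "download"], parent)

def adapt_table(table, parent=None):
    """Expose a relational list as one container plus one record per row."""
    lid = "list:" + table["title"]
    yield Resource("list", lid, table["title"], ", ".join(table["columns"]),
                   "list.png", ["search"], parent)
    key = table["columns"][0]
    for i, row in enumerate(table["rows"]):
        yield Resource("list-item", f"{lid}#{i}", row[key],
                       "; ".join(f"{c}={row[c]}" for c in table["columns"]),
                       "contact.png", ["view", "email"], lid)

def encode(resources):
    """Wire format: one JSON document the device renders without knowing
    whether a record came from a file share or a database."""
    return json.dumps([asdict(r) for r in resources], sort_keys=True)

def decode(payload):
    return [Resource(**d) for d in json.loads(payload)]

def catalogue():
    """Everything the server would offer before access rules filter it."""
    return list(adapt_file_tree(FILE_TREE)) + list(adapt_table(CONTACT_LIST))
```

The point of the adapter layer is that the device only ever parses `Resource` records; back-end-specific structure (nesting, columns) stays on the server, and the `actions` list is the only thing the client is permitted to request, which is where the access rules later narrow what is offered.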

Resource Trust Verification

Every resource, no matter how it is accessed, is put through a strict set of checks to help prevent fraud and to enforce corporate and legal policy. This validation step reduces the risk of phishing and other malicious activities.

The user ID and link information are checked to see if the link is an allowed resource and if the resource resides on a trusted list. In response, a yes/no decision is made to determine whether the resource may be shown and/or accessed. For example, a response may be sent to the requestor to indicate whether or not the resource is on a trusted list, allowing the user to select the next action; or, if the resource is on a trusted list, the resource may be displayed or the requested information sent directly to the requestor.
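As an added example, not code from the patent, the yes/no trust check above can be implemented as two independent tests on a link: is the host on the trusted list, and is the path an allowed resource for this user ID. The trusted host list, the per-user allowed prefixes and the sample links are constructed; the path is canonicalised first so that `..` segments or percent-encoding cannot move a link outside an allowed prefix.

```python
"""Added example (not the patent's own code): trust verification of a link
before it is shown or fetched. Trusted hosts, allowed prefixes and sample
links are constructed for illustration."""
import posixpath
from urllib.parse import urlsplit, unquote

# Hosts the enterprise publishes resources from (constructed sample).
TRUSTED_HOSTS = {"sharepoint.corp.example", "files.corp.example"}

# Path prefixes each user may reach, per host, as the access rules would
# produce from group membership (constructed sample).
ALLOWED = {
    "bob": {"files.corp.example": ["/u/bob/", "/shared/sales/"],
            "sharepoint.corp.example": ["/sites/sales/"]},
}

def canonical_path(path: str) -> str:
    """Percent-decode and normalise so '/shared/sales/../../u/alice' cannot
    pass a prefix check; result is absolute with '..' and '.' resolved."""
    p = posixpath.normpath("/" + unquote(path).lstrip("/"))
    if path.endswith("/") and not p.endswith("/"):
        p += "/"
    return p

def verify_link(user_id: str, link: str) -> dict:
    """Return trusted/allowed/show flags plus a reason. A link is shown only
    when its host is trusted AND the user is allowed that resource."""
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https"):
        return {"trusted": False, "allowed": False, "show": False,
                "reason": "unsupported scheme"}
    host = (parts.hostname or "").lower()   # hostname, not netloc: ignores user@ tricks
    trusted = host in TRUSTED_HOSTS
    path = canonical_path(parts.path or "/")
    prefixes = ALLOWED.get(user_id, {}).get(host, [])
    allowed = any(path.startswith(pre) for pre in prefixes)
    if not trusted:
        reason = "host not on trusted list"
    elif not allowed:
        reason = "resource not allowed for user"
    else:
        reason = "ok"
    return {"trusted": trusted, "allowed": allowed,
            "show": trusted and allowed, "reason": reason}

def respond(user_id: str, link: str) -> str:
    """What goes back to the requestor: the resource is displayed, or a
    trusted yes/no indication lets the user choose the next action."""
    v = verify_link(user_id, link)
    if v["show"]:
        return f"DISPLAY {link}"
    return f"DENY ({v['reason']}); trusted={v['trusted']}"
```

Two details matter in practice: comparing `hostname` rather than the raw authority defeats `https://files.corp.example@evil.test/...`, and checking the canonical path rather than the string the user clicked defeats traversal and encoding games against the prefix list. Both checks fail closed; an unknown user or unknown host yields no allowed prefixes.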

Since management of security is focused in the server and through the Rules of section 2, there is no need for a security audit of each application, nor for knowledge of each application.

Multiple Resource Types

While the embodiment described above provides a comprehensive range of features supporting multiple directory types and multiple resource types, in some applications a simplified version for accessing a subset of resources, or only one directory type, may be acceptable. However, advantageously, support is provided for multiple resource types, overcoming the limitations of alternative solutions which support only one type of resource, e.g. Windows file servers, but cannot support other resource types.

Multiple Directory Types

Although most organizations use only one directory type, preferably multiple types of directories are supported: an initial step queries for the directory type, and the directory information is then translated into a common standardized format. Thus one version of the application may be implemented universally for most common directory types.

Access Rules

Mobile Documents defines rules for access and for actions with respect to each type of resource or subset of resources. Rules may be set dependent on other data such as location (e.g. from GPS) and/or time of day (local time or server time) received from the server, the mobile device or other sources. Thus rules may be dynamically determined. As mentioned above, any changes to user group memberships, or to other attributes stored in a directory, are applied in real time. Where synchronization is enabled, or is a permitted operation, up-to-date information may be exchanged with the mobile device to ensure a user has access to current documents, contacts, or other information. Thus, if a resource is temporarily unavailable, the user has a recently updated copy of the information on the mobile device.
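The following added example (not the patent's rule engine) serves both the Containers passage above, which describes Boolean evaluation of group memberships, and this Access Rules passage, which adds time-of-day and GPS conditions. It parses rule expressions such as `Sales AND (Managers OR Leads)` or `HR AND NOT Contractors`, evaluates them against the groups fetched for the user on each request, applies any time window or geofence on the rule, and returns the resources grouped into one container per matching rule. The rule syntax, the rule records, the group names and the geofence centre and radius are all assumptions made for illustration.

```python
"""Added example (not the patent's own code): Boolean group-membership rules
with optional time and location conditions, resolved into containers.
Rule syntax, rule data and geofence values are hypothetical."""
import math
import re
from datetime import time

# Tokens: parentheses, the keywords AND/OR/NOT (uppercase), or a group name.
TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[A-Za-z_][\w-]*)")

def parse(expr: str):
    """Recursive-descent parser; precedence NOT > AND > OR, left-associative.
    Returns a nested tuple tree such as ("and", ("group","A"), ("not", ...))."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):     # stray characters: reject
        raise ValueError(f"bad rule: {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "AND":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        tok = take()
        if tok == "NOT":
            return ("not", parse_not())
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing )")
            return node
        if tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected {tok}")
        return ("group", tok)

    tree = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens")
    return tree

def evaluate(node, groups: set) -> bool:
    """Evaluate a parsed rule against the user's current group set."""
    op = node[0]
    if op == "group":
        return node[1] in groups
    if op == "not":
        return not evaluate(node[1], groups)
    if op == "and":
        return evaluate(node[1], groups) and evaluate(node[2], groups)
    return evaluate(node[1], groups) or evaluate(node[2], groups)

def within_window(now: time, start: time, end: time) -> bool:
    """Inclusive time-of-day window; wraps past midnight when start > end."""
    return start <= now <= end if start <= end else (now >= start or now <= end)

def within_radius(point, centre, radius_m) -> bool:
    """Haversine great-circle distance check for a GPS geofence (metres)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*point, *centre))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h)) <= radius_m

# Constructed rules: each names a container, a Boolean expression over groups,
# the resources and operations it grants, and optional context conditions.
RULES = [
    {"name": "Sales documents", "when": "Sales AND (Managers OR Leads)",
     "resources": {"sp:/sites/sales": ["read", "email"]}},
    {"name": "Restricted HR files", "when": "HR AND NOT Contractors",
     "resources": {"fs://hr/reviews": ["read"]},
     "window": (time(8), time(18)),                 # server local time (assumed)
     "geofence": ((45.42, -75.69), 500)},           # hypothetical HQ, 500 m
    {"name": "Everyone", "when": "Staff",
     "resources": {"sp:/sites/intranet": ["read"]}},
]

def resolve(groups: set, now: time = None, location=None):
    """Containers for every rule whose expression and context conditions all
    hold. A rule with a condition whose input is missing is NOT matched."""
    out = []
    for rule in RULES:
        if not evaluate(parse(rule["when"]), groups):
            continue
        if "window" in rule and not (now and within_window(now, *rule["window"])):
            continue
        if "geofence" in rule and not (location and within_radius(location, *rule["geofence"])):
            continue
        out.append({"container": rule["name"], "resources": rule["resources"]})
    return out
```

Because `resolve` takes the group set as an argument rather than caching it, a directory change shows up on the next request, which is the real-time behaviour the text describes. The deliberately fail-closed handling of a missing clock or GPS fix is the caveat worth keeping: a rule that depends on context should deny, not silently pass, when the device does not supply it.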

While the term “user” in the above description refers to a person, the user may more generally be any entity such as an individual or a device, for example identified by a unique profile or description of a device, a geographic location, or a temporal descriptor. A mobile device may be any communication device, such as a laptop with a wireless connection, a PDA, a Blackberry™, or for example a car computer or other communications device in a vehicle, or any other managed corporate resource.

In a multi-domain environment, an access or publishing rule may beneficially include a network identifier associated with a network resource to indicate which network domain the resource belongs to. An identification or authentication token may also be used, since a user authenticated in one domain may require re-authentication in another domain.

Mobile Documents is not capable of overriding existing network security, so all Windows, Novell and SharePoint ACLs will still take effect. Mobile access rules can therefore only narrow what a user already holds in the underlying directory or application; they cannot grant access that those ACLs deny.

INDUSTRIAL APPLICABILITY

A scalable and flexible solution is provided comprising a system and method for managing mobile access to enterprise network resources. Users may securely view, email, fax, download, modify and upload, or otherwise manage documents located in their office, including documents in Novell and SharePoint, directly from their Blackberry™ smart phone or other mobile wireless handheld device.

Thus, mobile professionals, travellers and emergency workers who need access to their documents and files from anywhere are provided with full mobile document access. Users may have access to all documents as if they were sitting in their office. Alternatively, for business or security reasons, IT administrators may restrict mobile users to only a subset of resources.

Administrators have extensive control over an organization's mobile environments, and the system is easily and rapidly deployed. Two-factor encryption and multilayered policy-based security models, application-level access control, directory integration and enterprise security management may be provided.

Although embodiments of the invention have been described and illustrated in detail, it is to be clearly understood that the same are by way of illustration and example only and not to be taken by way of limitation, the scope of the present invention being limited only by the appended claims.

The invention claimed is:
 1. A method for managing user access from awireless mobile device to a plurality of network resources comprisingdocuments and files within an enterprise network, wherein the enterprisenetwork comprises a security infrastructure for managing internal useraccess from within the enterprise network according to an internalaccess policy, and wherein for access from a wireless mobile user devicethe method comprises the steps of: determining group membership of auser based on a user ID and attributes of the user, each group havingassociated therewith a set of resources and associated operations formembers of the group; determining access rules for the user based oneach group membership of the user; generating a list of accessibleresources and associated operations for the user based on said accessrules; and making said list available to a subsequent process forperforming an operation on an accessible resource in accordance withsaid access rules comprising one or more of displaying and otherwiseinterfacing said resource to the user for one or more of read, write,execute, modify, delete, email, download, and synchronize operations. 2.The method according to claim 1 5, wherein said network resourcescomprise network resources of different resources types, and comprisinggenerating said list of accessible resources and operations for the usercomprising accessible resources of a plurality of different resourcetypes.
 3. The method according to claim 1 5, further comprising aninitial step of receiving from a user credentials comprising a user ID,and authenticating the user.
 4. The method according to claim 1, furthercomprising retrieving directory information associated with said user toobtain attributes of the user associated with said user ID.
 5. Themethod according to claim 4, further comprising: A method for managingnetwork resource accessibility of user access from a wireless mobiledevice to securely interoperate with a plurality of network resourcescomprising documents and files within an enterprise network, wherein theenterprise network comprises a security infrastructure for managinginternal user access from within the enterprise network according to aninternal access policy, and wherein, for the user access from thewireless mobile user device, the method comprises the steps of:determining group membership of the mobile user based on a user ID andattributes of the mobile user, each group having associated therewith aset of resources and associated operations for members of the group;determining filterable access rules for the mobile user based on eachgroup membership of the mobile user; generating a list of accessibleresources and of associated operations for the mobile user based on saidaccess rules; making said list available to a subsequent process forperforming an operation on an accessible resource in accordance withsaid access rules comprising one or more of displaying and otherwiseinterfacing said accessible resource to the mobile user for one or moreof read, write, execute, modify, delete, email, download, andsynchronize operations to thereby provide secure interoperation from themobile device to said accessible resource, and wherein access by thewireless mobile device is direct and real time; retrieving directoryinformation associated with said user to obtain attributes of the userassociated with said user ID; and before retrieving the directoryinformation, determining an applicable directory type of a set ofpossible directory types, and after retrieving said directoryinformation, re-encoding said directory information to a desired format.6. The method according to claim 1 5, further comprising initiating anoperation on an accessible resource in accordance with said accessrules.
 7. The method according to claim 1 5, further comprisingperforming a requested operation on a selected accessible resource. 8.The method according to claim 2, further comprising delivery of the listof accessible resources and operations to the wireless mobile device. 9.The method according to claim 8, wherein delivery of the list ofaccessible resources and operations to the user comprises presenting thelist of accessible resources and operations to the user via a userinterface of the wireless mobile device.
 10. The method according toclaim 9, further comprising presenting to the user a list of accessibleresource types, and A method for providing secure user access from awireless mobile device to interoperate with discrete ones of a pluralityof network resources comprising documents and files within an enterprisenetwork, wherein the enterprise network comprises a securityinfrastructure for managing internal user access from within theenterprise network according to an internal access policy, and whereinfor access from a wireless mobile user device the method comprises thesteps of: determining group membership of the mobile user based on auser ID and attributes of the mobile user, each group having associatedtherewith a set of resources and associated operations for members ofthe group; determining filterable access rules for the mobile user basedon each group membership of the mobile user; generating a list ofaccessible ones of the plurality of resources and of associatedoperations for the mobile user based on said access rules; making saidlist available to a subsequent process for performing an operation onthe accessible ones of the plurality of resources in accordance withsaid access rules comprising one or more of displaying and otherwiseinterfacing said accessible resource to the mobile user for one or moreof read, write, execute, modify, delete, email, download, andsynchronize operations, and wherein access by the wireless mobile deviceis direct and real time; wherein the plurality of network resourcesnetwork comprise network resources of different resources types,generating said list of accessible resources and operations for the usercomprising the accessible resources from the plurality of differentresource types; delivering the list of the accessible resources andoperations to the wireless mobile device, wherein delivery of the listof accessible resources and operations to the user comprises presentingthe list of accessible resources and operations to the user 
via a userinterface of the wireless mobile device; and receiving a user selectionor validation of a the resource type before presenting the list ofaccessible resource and operations.
 11. The method according to claim 9,wherein presenting the list of accessible resources and operationscomprises presenting an indication or description of a resource typeassociated with an accessible resource.
 12. The method according toclaim 9, wherein presenting comprises graphically displaying said liston the mobile device.
 13. The method according claim 1 5, furthercomprising validating one or more of an accessible resource, operation,or resource type before subsequent processing thereof.
 14. The methodaccording to claim 8, further comprising a step of validating anaccessible resource and/or operation in response to a request from auser before subsequent processing thereof.
 15. The method according toclaim 9, further comprising initiating a process to respond to a requestfrom the user for an operation on an accessible resource in accordancewith access rules.
 16. The method according to claim 15, furthercomprising responding to a request from the user for an operation on anaccessible resource comprising one or more of displaying and otherwiseinterfacing said resource to the user for one or more of read, write,execute, modify, delete, email and download and synchronize.
 17. Themethod according to claim 15, further comprising responding to a requestfrom the user for an operation on a resource by blocking or denyingaccess to said resource.
 18. The method according to claim 1 5, whereinsaid access rules are determined for a user based on a Booleanevaluation of rules for a plurality of group memberships of the user.19. The method according to claim 1 5, further comprising receivingadditional data from at least one of the system enterprise network andthe mobile device, and wherein said access rules are determined based onsaid additional information.
 20. The method according to claim 1 5,wherein said access rules are determined dynamically based on at leastone of one of a date and time of day and a location of the mobile deviceor a combination thereof.
 21. The method according to claim 1 5, whereineach access rule comprises a membership list and a resource and/oroperations list.
 22. The method according to claim 21, wherein amembership list comprises a high level descriptor defining criteria forwho may access associated resources and operations.
 23. The methodaccording to claim 21, wherein a resource and/or operations listcomprises high level descriptors of resources and/or operations.
 24. Themethod according to claim 1 5, wherein said access rule comprises a highlevel descriptor of one or more of a membership group, a resource, andan associated operation.
 25. The method according to claim 1 5, furthercomprising determining group membership of a user based on a tokenassociated with said user ID.
 26. The method according to claim 9,wherein displaying said list of accessible resources and operationscomprises displaying said list arranged by containers, each containercontaining a listing of resources and/or operations associated with arespective group membership.
 27. The method according to claim 9,wherein displaying said list of accessible resources and operationscomprises displaying said list by arranged by resource type.
 28. Themethod according to claim 6 A method for securely managing user accessfrom a wireless mobile device to interoperate with ones from among aplurality of network resources comprising documents and files within anenterprise network, wherein the enterprise network comprises a securityinfrastructure for managing internal user access from within theenterprise network according to an internal access policy, and wherein,for access from the wireless mobile user device, the method comprisesthe steps of: determining group membership of the mobile user based on auser ID and attributes of the mobile user, each group having associatedtherewith a set of resources and associated operations for members ofthe group; determining filterable access rules for the mobile user basedon each group membership of the mobile user; generating a list ofaccessible resources to the mobile user from among the plurality ofnetwork resources and of associated operations for the mobile user basedon said access rules; making said list available to a subsequent processfor performing an operation on the accessible resource in accordancewith said access rules comprising one or more of displaying andotherwise interfacing said accessible resource to the mobile user forone or more of read, write, execute, modify, delete, email, download,and synchronize operations, and wherein access by the wireless mobiledevice is direct and real time; initiating an operation on theaccessible resource in accordance with said access rules; and whereinthe accessible resources are indexed with an indicator of one or more ofresource type, other descriptor and selection criteria, and performingan operation on a the list of accessible resources comprises performingan operation selectively on resources indexed with a specific indicator.29. 
A client server system for managing access to a plurality of networkresources comprising documents and files within an enterprise networkfrom a wireless mobile device, wherein the enterprise network comprisesa security infrastructure for managing internal user access according tointernal access policies, and the client server system comprises: aserver within the enterprise network for managing wireless mobile accessby performing the steps of: receiving identification from a user of awireless mobile device; retrieving from a directory attributes of saiduser based on a user ID of the user; determining group membership of theuser based on said user ID and said attributes, each group havingassociated therewith a set of access rules defining accessible resourcesand associated permitted operations for members of the group; resolvingaccess rules for the user based on group membership and generating alist of accessible resources and operations for the user based on saidaccess rules; and making said list available for subsequent processingcomprising one or more of displaying and otherwise interfacing saidresource to the user for one or more of read, write, execute, modify,delete, email, download, and synchronize operations.
 30. The clientserver system according to claim 29, wherein said steps further compriseauthentication of the user.
 31. The client server system according toclaim 29, wherein said steps further comprise delivery of the list ofaccessible resources and operations to a client in the wireless mobiledevice.
 32. The client server system according to claim 29, furthercomprising a client in the wireless mobile device for displaying saidlist of accessible resources and operations.
 33. The client serversystem according to claim 32, wherein said client in the wireless mobiledevice comprises: an interface for presenting to a user a list ofaccessible resources of different resource types.
 34. The client serversystem according to claim 33, wherein said client further comprises aninterface for presenting to the user permissible operations associatedwith each accessible resource.
 35. A system comprising an access controllayer for an access server managing mobile user access to networkresources comprising documents and files within an enterprise networkcomprising processing means for performing the steps of: determininggroup membership of a user based on a user ID and attributes of theuser, each group having associated therewith a set of resources andassociated operations for members of the group; determining access rulesfor the user based on each group membership of the user; generating alist of accessible resources and associated operations for the userbased on said access rules; and making said list available to asubsequent process for performing an operation on an accessible resourcein accordance with said access rules comprising one or more ofdisplaying and otherwise interfacing said resource to the user for oneor more of read, write, execute, modify, delete, email, download, andsynchronize operations.
 36. The system according to according to claim35, wherein said network resources comprise network resources ofdifferent resources types, and comprising generating said list ofaccessible resources and operations for the user comprising accessibleresources of a plurality of different resource types.
 37. The systemaccording to claim 36, further comprising A system comprising an accesscontrol layer for an access server managing secure mobile user accessfrom a mobile device to interoperate with network resources comprisingdocuments and files within an enterprise network, comprising processingmeans for processing non-transitory computing code for performing thesteps of: determining group membership of the mobile user based on auser ID and attributes of the user, each group having associatedtherewith a set of resources and associated operations for members ofthe group; determining filterable and modifiable access rules for theuser based on each group membership of the user; generating a list ofreal time accessible resources and associated operations for the userbased on said access rules; making said list available to a subsequentprocess for performing an operation on an accessible resource inaccordance with said access rules comprising one or more of displayingand otherwise interfacing said resource to the user for one or more ofread, write, execute, modify, delete, email, download, and synchronizeoperations; wherein said network resources comprise network resources ofdifferent resources types, generating said list of accessible resourcesand operations for the user comprising accessible resources of aplurality of different resource types; generating a list of types of theaccessible resource types, resources; and receiving a user selection orvalidation of a resource type before generating the list of accessibleresources and operations.
 38. The system according to claim 36, whereinthe list of accessible resources comprises an indication or descriptionof a resource type associated with an accessible resource.
 39. Anon-transitory computer readable medium comprising executable programinstructions for carrying out a method of managing user access to aplurality of network resources comprising documents and files within anenterprise network from a wireless mobile device, by steps comprising:determining group membership of a user based on a user ID and attributesof the user, each group having associated therewith a set of resourcesand associated operations for members of the group; determining accessrules for the user based on each group membership of the user;generating a list of accessible resources and associated operations forthe user based on said access rules; making said list available to asubsequent process for performing an operation on an accessible resourcein accordance with said access rules comprising one or more ofdisplaying and otherwise interfacing said resource to the user for oneor more of read, write, execute, modify, delete, email, download, andsynchronize operations.
 40. The non-transitory computer readable mediumaccording to claim 39, wherein said steps further comprise performing arequested operation on a selected accessible resource.